Social Security Online - Office of the Inspector General
www.socialsecurity.gov

Office of Audit
Audit Report - A-03-96-31004

Review of Selected Controls over the Social Security Initiated Personal Earnings and Benefit Estimate Statements (SIPEBES)
A-03-96-31004, 12/29/97

TABLE OF CONTENTS

EXECUTIVE SUMMARY
INTRODUCTION
RESULTS OF REVIEW
  Accuracy of SIPEBES
  Physical Security at KPT
  Absence of Established Security Plan Requirements
CONCLUSIONS AND RECOMMENDATIONS
APPENDICES
  B - Major Contributors to this Report

EXECUTIVE SUMMARY

OBJECTIVE

The objectives of this review were to determine whether the Social Security Administration (SSA) accurately extracted and transmitted earnings data from its Master Earnings File (MEF) onto the Social Security Initiated Personal Earnings and Benefit Estimate Statements (SIPEBES) and whether controls at the contractor who prints and distributes SIPEBES are adequate to safeguard this data against improper disclosure.

BACKGROUND

SIPEBES. Section 1143 of the Social Security Act requires SSA to begin an automatic distribution of yearly earnings and benefit estimate statements to eligible individuals. SIPEBES gives individuals the opportunity to review their earnings records for accuracy. It also serves as a useful tool for individuals in planning for their economic security in the event of retirement, disability, or death. SIPEBES provides individuals with their earnings history year by year, estimated Social Security taxes paid, and an estimate of future retirement and disability benefits, as well as potential survivor benefits should the individual die.

Distribution of SIPEBES began in February 1995 to individuals 60 years of age and older. Since then, other age groups have been and will continue to be added in phases until Fiscal Year (FY) 2000, when all age groups in the program (about 123 million individuals) will receive yearly statements.

SIPEBES Contractor. KPT Incorporated (KPT), located in Dallas, Texas, is the current contractor that prints and distributes SIPEBES to individuals for SSA. KPT was selected by the Government Printing Office (GPO) from a number of competitive bidders to perform the work for Calendar Years (CY) 1997 and 1998. The company has past experience distributing similar earnings statements for SSA. In CY 1995, KPT distributed Personal Earnings and Benefit Estimate Statements that were requested by individuals.

Our review was performed in accordance with generally accepted government auditing standards and included tests of internal controls and compliance with laws and regulations, to the extent necessary, to meet the objectives of our audit. Field work was performed at SSA Headquarters in Baltimore, Maryland; at KPT in Dallas, Texas; and at our field office in Philadelphia, Pennsylvania, between December 1996 and May 1997.

RESULTS OF REVIEW

The earnings reported to the public on their SIPEBES accurately reflected SSA's earnings records. There were no reportable discrepancies. Our testing of completed SIPEBES, combined with our examination of SSA's functional requirements and of the validation tests performed to ensure the system's accuracy, showed that the system was working properly.

In general, the physical security controls at the SIPEBES contractor's site were adequate. We saw no indication of any significant internal control breakdowns of physical security at the site. Contractor management showed a supportive attitude toward their control responsibilities, and contractor personnel were generally aware of the control procedures they were to follow and their respective responsibilities.

The security requirements in place for the SIPEBES information system, covering the contractor, need to be improved to meet established security plan requirements. The current security requirements are contained mainly in 1) the contract with the SIPEBES contractor and 2) a general security plan submitted by the contractor. Neither the contract nor the general security plan, however, addresses all established security plan requirements. We believe that SSA needs a written security plan which follows established security plan requirements for this sensitive information system in order to be in full compliance with the law. The Privacy Act of 1974, the Computer Security Act of 1987, and Office of Management and Budget (OMB) Circular A-130 together require SSA management to establish security plans in writing, covering all employees, for sensitive information systems such as SIPEBES.

RECOMMENDATIONS

We recommend that SSA develop a security plan which includes:

1) specific security requirements for contractor personnel to follow, and the consequences for not following them;
2) systems security awareness initiatives and security-related training programs for contractor personnel based on those requirements; and
3) periodic security inspections at the contractor's site to ensure that the plan is operating and to determine whether further improvements are needed.

AGENCY COMMENTS

SSA responded to a draft of this report and agreed with our findings and recommendations to address the internal control weaknesses identified in that report. Some minor revisions have been incorporated into this report based on SSA's comments. SSA's written response is included in its entirety as Appendix A.

INTRODUCTION

OBJECTIVES

The objectives of our review were to determine whether SSA accurately extracted and transmitted earnings data from its MEF onto SIPEBES and whether controls at the contractor who prints and distributes SIPEBES are adequate to safeguard this data against improper disclosure.

BACKGROUND

Overview of the SIPEBES Program. Section 1143 of the Social Security Act requires SSA to begin an automatic distribution of yearly earnings and benefit estimate statements to eligible individuals. Eligible individuals are persons age 25 and older who are nonbeneficiaries, have a Social Security number (SSN), and have wages or net earnings from self-employment.

SIPEBES distribution began in FY 1995 with statements issued to individuals 60 years of age and older. Since then, distribution has expanded in phases to include younger workers. Beginning in FY 2000, SSA's ultimate goal, through one or more contractors, is to send out about 123 million statements yearly to all eligible individuals.

SSA expects the initial statements to produce significant general inquiries, earnings corrections, and other public contact workloads. The public will be able to review their earnings record and, with appropriate documentation, have SSA make corrections if necessary. Maintaining accurate earnings records for individuals is very important, since Social Security benefit payments are based on average lifetime earnings.

In addition to providing yearly earnings history, estimated Social Security taxes paid, and benefit estimates, SIPEBES contains other information: a message from the Commissioner of Social Security explaining the purpose of SIPEBES; identifying information such as name, SSN(s), and date of birth; Medicare wages and estimated Medicare taxes paid; and answers to some frequently asked questions.

SIPEBES Contractor. KPT, located in Dallas, Texas, is the current contractor that prints and distributes SIPEBES to eligible individuals. The process begins at SSA's National Computer Center (NCC), located in Baltimore, Maryland. The NCC electronically transmits SIPEBES data to KPT from SSA's records on a daily basis. From these transmissions, KPT prints the data onto SIPEBES forms and then delivers them to the U.S. Post Office, where they are mailed to individuals.

This contractor has past experience performing similar work for SSA. In 1995, GPO awarded KPT a 1-year competitive contract to print and distribute similar earnings statements known as OR-PEBES (On Request Personal Earnings and Benefit Estimate Statements). Recently, KPT was awarded the SIPEBES competitive contract by GPO. This contract period covers about 2 years and will expire on December 31, 1998.

Security Requirements. There are a number of security requirements applicable to the SIPEBES information system:

The Privacy Act of 1974 requires Federal agencies that maintain a system of records to establish rules of conduct and instruction for persons involved with that system. In addition, section 552a(e)(10) of title 5, United States Code (the Privacy Act), requires Federal agencies to establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records, and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.

The Computer Security Act of 1987 requires agencies to develop security plans for all Federal computer systems that contain sensitive data, and to provide mandatory training in security for all individuals with access to the systems.

OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, in accordance with the Computer Security Act of 1987, requires Federal agencies to establish a security awareness and training program. The Circular also requires agencies to provide mandatory, periodic training in computer security awareness and accepted security practice for all employees who are involved with the management, use, or operation of a Federal computer system within or under the supervision of the Federal agency. The requirement includes contractors as well as employees of the agency.

OMB Circular A-123, Management Accountability and Control, and the Federal Managers' Financial Integrity Act require that significant weaknesses identified during the review of security controls be reported as a deficiency.

SSA's Systems Security Handbook summarizes the statutory requirements SSA is subject to in order to protect the sensitive information it gathers and maintains. It also states the administrative controls SSA must establish to prevent fraud, waste, and abuse. The Agency must also ensure that contractor personnel abide by these systems security requirements.

SCOPE

Our audit was conducted in accordance with generally accepted government auditing standards and included tests of internal controls and compliance with laws and regulations, to the extent necessary, to meet the objectives of our audit.

To achieve our first objective, we compared the earnings shown on 300 completed SIPEBES to SSA's earnings records. These 300 SIPEBES were processed by the contractor over a 3-day period (100 each day) and were judgmentally selected by the auditors. They were chosen from batches printed at KPT during the early stages of initial production. The contractor printed an additional copy of the selected SIPEBES for the auditors to evaluate. The yearly earnings shown in the columns titled "Social Security Your Reported Earnings" and "Medicare Your Reported Earnings" were matched against the yearly earnings shown on SSA's MEF.

We also reviewed and evaluated SSA's validation of the computer system used to transmit SIPEBES data from the NCC to the contractor. Systems validation is a user-acceptance process which ensures that the released software meets the functional requirements and does not adversely affect any other parts of the system.

To accomplish our second objective, we interviewed KPT management and staff; reviewed their general security plan, policies, and procedures; and observed and assessed their SIPEBES control environment over a 4-day period. We also made inquiries about security policies and procedures with SSA personnel at Headquarters and with the responsible GPO contracting officer.

Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our audit. We did not review SSA's system that posts earnings to MEF and estimates benefits on SIPEBES. Our review was conducted in Dallas, Texas; Baltimore, Maryland; and Philadelphia, Pennsylvania. The audit field work was conducted from December 1996 to May 1997.

RESULTS OF REVIEW

ACCURACY OF SIPEBES

Comparison of SIPEBES to MEF

SSA's SIPEBES system accurately transfers individuals' recorded earnings from its internal records onto SIPEBES. In addition, SSA adequately tested the system prior to implementing it. We compared the earnings shown on 300 judgmentally selected SIPEBES to earnings recorded on SSA's records. These SIPEBES were selected from batches run by the contractor. Our comparison of the selected SIPEBES to SSA's MEF found no discrepancies that would cause SIPEBES misstatements. There were, however, several instances where earnings records showed earnings in excess of the taxable maximum; in those cases the SIPEBES program correctly extracted the taxable maximum for statement purposes.

Systems Validation

We reviewed SSA's validation process to determine whether SSA's system was certified as capable of accurately transferring earnings data from SSA records to SIPEBES. SSA uses its Software Engineering Technology (SET) Manual to define the process of systems development and maintenance. The SET Manual details the policies, standards, and guidelines used in the systems life-cycle development process.

SSA followed the criteria stated in the SET Manual in evaluating the system prior to releasing it for use and had a validation plan listing validation data base requirements, transaction definitions, and a validation schedule. SIPEBES format specifications were prepared by SSA for the vendor.
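The accuracy test described under Comparison of SIPEBES to MEF above can be reproduced as a reconciliation script. The following is an added example, not code from the OIG report or from any SSA or KPT system: it matches the two statement columns the auditors compared against the MEF, treats a year that prints the taxable maximum when the MEF holds a higher amount as correct rather than as a discrepancy, and flags everything else, including a year present in the MEF but missing from the statement. The taxable-maximum table, the placeholder SSNs and the earnings figures are all constructed for the example and are not SSA's real wage base or data; the assumption that the Medicare column is uncapped is also the example's own.

```python
"""Reconcile sampled earnings statements against a master earnings file.

Added example; not code from the OIG report, SSA or KPT. The statement's
"Social Security" column is expected to show the MEF amount capped at the
year's taxable maximum; the "Medicare" column is assumed uncapped here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, illustrative taxable maximums in whole dollars. These are
# NOT SSA's real wage-base figures. None means "no cap for this column".
CAPS: Dict[str, Dict[int, Optional[int]]] = {
    "social_security": {1994: 60600, 1995: 61200, 1996: 62700},
    "medicare": {1994: None, 1995: None, 1996: None},
}

# One worker's earnings: year -> column -> dollars
Record = Dict[int, Dict[str, int]]


@dataclass(frozen=True)
class Discrepancy:
    ssn: str
    year: int
    column: str
    on_statement: Optional[int]  # None: year/column missing from the statement
    expected: Optional[int]      # None: year/column missing from the MEF


def expected_value(mef_amount: int, year: int, column: str,
                   caps: Dict[str, Dict[int, Optional[int]]] = CAPS) -> int:
    """Amount the statement should print for a MEF amount: the MEF value,
    capped at the year's taxable maximum for columns that have one."""
    cap = caps[column].get(year)
    return mef_amount if cap is None else min(mef_amount, cap)


def reconcile(mef: Dict[str, Record], statements: Dict[str, Record],
              caps: Dict[str, Dict[int, Optional[int]]] = CAPS
              ) -> Tuple[List[Discrepancy], int]:
    """Compare every sampled statement with the MEF.

    Returns (discrepancies, capped_years). A year whose MEF amount exceeds
    the cap but prints as the cap is not a discrepancy; it is counted in
    capped_years so the reviewer can see how often the cap applied. Years
    present on only one side are reported with None on the missing side.
    Workers in the MEF but not in the sample are ignored, since the sample
    is drawn from printed statements.
    """
    findings: List[Discrepancy] = []
    capped = 0
    for ssn, stmt in statements.items():
        record = mef.get(ssn, {})
        for year in sorted(set(stmt) | set(record)):
            for column in caps:
                have = stmt.get(year, {}).get(column)
                raw = record.get(year, {}).get(column)
                want = None if raw is None else expected_value(raw, year, column, caps)
                if raw is not None and want != raw:
                    capped += 1
                if have != want:
                    findings.append(Discrepancy(ssn, year, column, have, want))
    return findings, capped


# Constructed sample data with placeholder SSNs (not real records).
SAMPLE_MEF: Dict[str, Record] = {
    "000-00-0001": {1994: {"social_security": 35000, "medicare": 35000},
                    1995: {"social_security": 36000, "medicare": 36000},
                    1996: {"social_security": 37000, "medicare": 37000}},
    "000-00-0002": {1994: {"social_security": 70000, "medicare": 70000},  # above 1994 cap
                    1995: {"social_security": 61200, "medicare": 61200},  # exactly at cap
                    1996: {"social_security": 80000, "medicare": 80000}}, # above 1996 cap
    "000-00-0003": {1995: {"social_security": 45000, "medicare": 45000},
                    1996: {"social_security": 20000, "medicare": 20000}},
}
SAMPLE_STATEMENTS: Dict[str, Record] = {
    "000-00-0001": {1994: {"social_security": 35000, "medicare": 35000},
                    1995: {"social_security": 36000, "medicare": 36000},
                    1996: {"social_security": 37000, "medicare": 37000}},
    "000-00-0002": {1994: {"social_security": 60600, "medicare": 70000},  # correctly capped
                    1995: {"social_security": 61200, "medicare": 61200},
                    1996: {"social_security": 62700, "medicare": 80000}}, # correctly capped
    # Worker 3: transposed digits in 1995, and 1996 missing from the statement.
    "000-00-0003": {1995: {"social_security": 54000, "medicare": 45000}},
}


if __name__ == "__main__":
    found, capped_years = reconcile(SAMPLE_MEF, SAMPLE_STATEMENTS)
    print(f"{capped_years} statement years capped at the taxable maximum (not discrepancies)")
    for d in found:
        print(f"DISCREPANCY ssn={d.ssn} year={d.year} column={d.column} "
              f"statement={d.on_statement} expected={d.expected}")
```

On the constructed sample the two capped years for the second worker produce no findings, while the third worker yields three: the transposed 1995 Social Security figure and both columns of the missing 1996 year. Keeping the capped count separate from the discrepancy list is what lets a reviewer report "no discrepancies" while still documenting, as the audit did, that the cap was applied.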
Validation runs and reports were documented, and as a final step in the evaluation process, a system release certification was prepared.

The system release certification states that: (1) changes have been tested; (2) the release contains all agreed-to changes, and only those changes; (3) system capacity and security requirements are met; (4) operating procedures have been provided; (5) required documentation has been prepared; and (6) control, auditability, security, and privacy requirements have been met.

PHYSICAL SECURITY AT KPT

In general, the physical security controls at KPT are adequate. We saw no indication of any significant internal control security breakdowns. The company has about 52 employees working 3 shifts at its single location. The facility is a 50,000-square-foot building located in north Dallas. There are nine entrances, including a main entrance, a client service entrance, two loading docks, and five other doors. All entrances are secured, and there are a total of eight security cameras throughout the building, including two at the loading docks.

Both the data processing and printing rooms are secured areas with working security cameras. Transfer logs are used to record the movement of SIPEBES from these areas to the mailroom. The forms are secured with plastic wrapping in the mailroom and delivered to a U.S. Post Office weekly.

We found that KPT management understood and implemented their control obligations, and KPT personnel were generally aware of the control procedures they were to follow and their respective responsibilities.

ABSENCE OF ESTABLISHED SECURITY PLAN REQUIREMENTS

The current written plan for the SIPEBES information system covering contractor employees needs to be improved to meet the requirements of the Computer Security Act of 1987 and OMB Circular A-130. The current security requirements are included mainly in: (1) the contract with the SIPEBES contractor; and (2) a general security plan submitted to GPO by the contractor. The general security plan submitted by the contractor, however, does not address all established security plan requirements. Further, SSA failed to ensure that GPO had all mandated security requirements in place in the KPT contract. Specifically lacking were: (1) employee rules of conduct; (2) systems security awareness and training; and (3) on-site security inspections based on the acceptable level of risk established in the rules of the system.

Employee Rules of Conduct and Instruction

Although we believe the physical security at KPT is adequate, we found that there were no specific written rules of conduct and instruction for employees. The Privacy Act, 5 United States Code (U.S.C.), section 552a(e)(9) and (10), requires Federal agencies that maintain a system of records to establish rules of conduct and instruction for persons involved with that system.

Individuals involved with a sensitive information system need to know what conduct is expected of them and the consequences when they deviate from it. For example, the contractor's employees should know their roles and duties with regard to protecting sensitive SIPEBES information. They should also be made aware of the law and know the penalties for the mishandling, divulging, or other misuse of this information.

Security Awareness and Training Programs

A security plan should contain requirements for systems security awareness initiatives and security-related training programs for personnel, based on those requirements and on what their jobs entail. Such requirements do not exist in the contract with KPT or in KPT's general security plan. SSA needs to establish systems security awareness and training programs for contractor employees based on rules of conduct established in accordance with the Privacy Act of 1974, the Computer Security Act of 1987, and OMB Circular A-130.

Security Inspections at the Contractor's Site

As part of the security plan, SSA needs to perform inspections at the contractor's site to ensure that the acceptable levels of risk established in the rules for the SIPEBES system are met. According to OMB Circular A-130, the security of a system will degrade over time, as the technology evolves and as people and procedures change. Therefore, the inspections should ensure that management, operational, and technical controls are functioning effectively. Without such inspections, there may be needless security risks.

CONCLUSIONS AND RECOMMENDATIONS

CONCLUSIONS

Our review of completed SIPEBES and our examination of related SSA functional requirements and validation tests for the system's accuracy showed that the system was working properly.

We also found that, in general, the physical security controls at the SIPEBES contractor's site were adequate. We saw no indication of any significant internal control breakdowns of physical security at the site. Contractor management showed a supportive attitude toward their control responsibilities, and contractor personnel were generally aware of the control procedures they were to follow and their respective responsibilities.

SSA, however, needs to develop a security plan for the SIPEBES information system. To be in full compliance with governing laws, SSA needs to develop its own security plan that extends to its SIPEBES contractor.

RECOMMENDATIONS

We recommend that SSA develop a security plan, in accordance with established law and regulations, which includes:

1) specific security requirements for contractor personnel to follow, and the consequences for not following them;
2) systems security awareness initiatives and security-related training programs for contractor personnel based on those requirements; and
3) periodic security inspections at the contractor's site to ensure that the security plan is operating and to determine whether further improvements are needed.

SSA COMMENTS

SSA responded to a draft of this report and agreed with our findings and recommendations to address the internal control weaknesses identified. Some minor revisions have been incorporated into this report based on SSA's comments. SSA's written response is included in its entirety as Appendix A.

APPENDICES

APPENDIX B

Major Contributors to this Report

Office of the Inspector General

Roger Normand, Director, Northern Program Audit Division
Emil Mallek, Deputy Director, Northern Program Audit Division
Richard W. Devers, Senior Auditor
Michael Thomson, Auditor
Francis Cassidy, Auditor